System managementIntermediate19 min read

What Does lsmod Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

lsmod shows you what extra parts of the Linux kernel are currently active. Think of it like checking which plugins are running in a web browser. It lists each module, its size, and what other modules rely on it.

Commonly Confused With

lsmodvslspci

lspci lists PCI hardware devices connected to the system, while lsmod lists kernel modules (drivers) loaded into the kernel. A device can be present (shown by lspci) but without its driver loaded (not shown by lsmod). They are complementary, not interchangeable.

To troubleshoot a missing network card, run lspci to see if the card is detected, then run lsmod to see if its driver module is loaded.

lsmodvsmodprobe

modprobe is used to load or unload kernel modules with automatic dependency resolution. lsmod only lists currently loaded modules. You cannot load a module with lsmod; you use modprobe, then use lsmod to verify.

You type 'modprobe e1000' to load the Intel Ethernet driver, then type 'lsmod' to confirm it appears in the list.

lsmodvsmodinfo

modinfo displays detailed information about a kernel module, such as its author, license, description, and parameters. lsmod only shows the module name, size, and usage count. If you need to know what a module does, you run modinfo after finding its name via lsmod.

Run 'lsmod' to find a module named 'nouveau', then run 'modinfo nouveau' to learn it is the open-source NVIDIA graphics driver.

lsmodvsinsmod

insmod loads a single module file directly but does not resolve dependencies. lsmod is used after insmod to verify the module loaded, but lsmod itself does not load anything.

You run 'insmod /path/to/module.ko' and then 'lsmod' to check if the module is now listed.

Must Know for Exams

lsmod is a core command covered in several major Linux certification exams, including the CompTIA Linux+ (XK0-005), Red Hat Certified System Administrator (RHCSA, EX200), and Linux Professional Institute LPIC-1 exams. In the CompTIA Linux+ exam, the objectives for system management include 'Given a scenario, manage kernel modules.' This scenario-based objective requires candidates to know how to list, load, unload, and gather information about kernel modules. lsmod is the primary command for listing loaded modules, so it appears in questions about verifying module status, troubleshooting module loading failures, and understanding module dependencies.

In the RHCSA exam, candidates must be able to manage kernel modules for hardware support. This includes adding new modules, removing them, and ensuring persistence across reboots. lsmod is the go-to tool for verification. A typical exam task might be: 'Configure the system to load the kernel module for a new storage controller, and verify it is loaded.' The verification step relies on lsmod. Exam questions often present a scenario where a device is not working, and the candidate must use lsmod to confirm the driver is loaded, then use modinfo to check its parameters, and then use modprobe to load it.

For LPIC-1, objective 102.6 covers kernel modules, and candidates are expected to use lsmod, modprobe, insmod, rmmod, and modinfo. Questions may include interpreting the output of lsmod to determine which modules depend on each other, calculating memory usage of loaded modules, or identifying which module is associated with a particular hardware device. Multiple-choice and fill-in-the-blank formats are common.

In all these exams, the concept of /proc/modules is also important. A question might ask directly: 'Which file does the lsmod command read?' The answer is /proc/modules. Another question pattern: 'After inserting a module, how do you verify it is loaded?' The answer: use lsmod. Understanding lsmod in the context of the broader module management toolset is critical for passing these exams.

Simple Meaning

Imagine your computer's operating system, Linux, is like a basic car. The standard engine, wheels, and seats are the core kernel, always there and always running. Now, if you want to add a sunroof, a towing hitch, or a better sound system, you need to install extra parts. In Linux, these extra parts are called kernel modules. They are pieces of software that add functionality to the system without having to rebuild the whole operating system.

lsmod is the tool that lets you peer under the hood and see which of these extra parts are currently installed and working. It performs a simple task: it reads a special file inside the Linux system called /proc/modules and displays the information in a clean, easy-to-read table. The table has three columns: Module (the name of the extra part, like the name of a car accessory), Size (how much memory that part is using, like the weight of the accessory), and Used by (which other parts or programs are currently using that module, like which other accessories depend on your towing hitch).

This command is incredibly useful for system administrators and IT support staff because it helps them understand what is running on a machine. If a network card is not working, you can use lsmod to check if the module for that card is loaded. If you suspect a security vulnerability related to a particular module, you can see if it is loaded and take action. It is a fundamental diagnostic tool that gives you a snapshot of the kernel's current state, making it essential for troubleshooting hardware, software, and performance issues.

Full Technical Definition

lsmod is a command-line utility on Linux systems that lists the currently loaded kernel modules. It retrieves its data by reading and parsing the /proc/modules file, which is a virtual filesystem interface provided by the Linux kernel. The /proc filesystem is a pseudo-filesystem that provides a real-time view of kernel data structures. Specifically, /proc/modules contains a line for each loaded module, with fields that include the module name, the amount of memory it occupies (in bytes), the number of references to the module (instances of use), the dependency list (other modules that require this module), and the base address where the module is loaded in kernel memory.

The output of lsmod presents this information in a formatted table with three columns: Module (the module name), Size (memory size in bytes), and Used by (a count of how many other modules or system processes are using this module, followed by a comma-separated list of those dependents). This is essential for understanding module interdependencies. For example, a filesystem driver module like ext4 may be used by multiple processes, while a hardware driver like e1000 for Intel network cards might list zero uses if no network traffic is currently active but the module is still loaded and ready.

In IT implementation, lsmod is part of a suite of module management commands that also includes modprobe (to load or unload modules with dependency resolution), insmod (to insert a module manually), rmmod (to remove a module), and modinfo (to display detailed module metadata). These commands work with kernel modules stored in the /lib/modules/ directory, organized by kernel version. When a module is loaded, the kernel's module loader handles initialization, memory allocation, and registration of module functions with the kernel's subsystem interfaces, such as filesystems, network protocols, or device drivers.

Exam-relevant aspects include understanding that lsmod is a read-only diagnostic tool; it does not modify system state. It is often used after running modprobe to confirm that a module loaded successfully. In troubleshooting scenarios, an administrator might use lsmod to see if a module for a new graphics card or Wi-Fi adapter is present. In security contexts, lsmod can reveal unwanted or malicious kernel modules that may have been installed by rootkits. Since Linux certification exams like CompTIA Linux+, Red Hat RHCSA, and LPIC-1 include system management objectives, knowing lsmod and its relationship to /proc/modules is fundamental for module management tasks.

Real-Life Example

Think of a large kitchen in a restaurant. The kitchen itself is always there, the stove, the countertops, the sinks. These are like the core Linux kernel. But the kitchen also has many small appliances that are brought out only when needed. For example, there is a food processor for chopping vegetables, an ice cream maker for desserts, and a blender for smoothies. These appliances are like kernel modules, they add specific capabilities to the kitchen that are not always required.

Now, the head chef wants to know which appliances are currently plugged in and ready to use. She goes to the utility closet and looks at a whiteboard that lists all the appliances currently connected to the power outlets. The whiteboard shows three columns: Appliance Name (like "Blender"), Power Consumption in watts (like 300W), and Which Other Appliances Depend on It (like the blender might be needed by the smoothie station). This whiteboard is exactly like lsmod.

When the chef sees "Blender - 300W - Used by: Smoothie Station", she knows the blender is ready and consuming power. If she wants to set up a new toaster, she would first plug it in (like using modprobe) and then check the whiteboard (lsmod) to confirm it appears. If a new ingredient requires a specific appliance that is not on the whiteboard, she knows it needs to be added. This analogy helps IT learners understand that lsmod gives a real-time snapshot of what is active, enabling informed decisions about loading or unloading modules, much like a chef managing kitchen equipment.

Why This Term Matters

lsmod matters in practical IT because it is the simplest and safest way to inspect the kernel's active extensions without any risk of breaking the system. In a production environment, system administrators often deal with hardware that was not originally present when the operating system was installed, such as adding a new network interface card (NIC), a RAID controller, or a USB device. When the hardware is detected, the kernel may automatically load the appropriate driver module, but sometimes it does not, or the wrong module is loaded. lsmod allows the admin to verify that the correct module is present and that no conflicting modules are loaded.

lsmod is crucial for performance monitoring. Each loaded module consumes kernel memory, even if it is not actively being used. In systems with limited resources, such as embedded devices or virtual machines, keeping unused modules loaded wastes precious memory. By using lsmod, an admin can identify modules that are not needed and unload them with rmmod, freeing up resources. This is a common optimization task in server hardening and performance tuning.

Security is another critical area. Rootkits and malware sometimes insert malicious kernel modules to hide processes, files, or network connections. While sophisticated rootkits may attempt to hide their modules from lsmod, the command is still a first-line defense. An unexpected module with a suspicious name or one that is not part of the standard distribution should immediately raise a red flag. In security auditing, running lsmod is a standard step when investigating a compromised system.

Finally, lsmod is essential for troubleshooting boot issues and hardware failures. When a system fails to recognize a device, the admin can check lsmod to see if the driver module is loaded. If it is not, they can load it manually with modprobe and test. This step-by-step diagnostic approach is fundamental in IT support and is directly tested in certification exams.

How It Appears in Exam Questions

lsmod appears in certification exam questions in several distinct patterns. First, there are direct knowledge questions where the candidate is asked to define the purpose of lsmod or identify its output. For example: 'What is the primary function of the lsmod command?' 'Which file does lsmod read to display its information?' These are typically multiple-choice and test basic recall.

Second, there are scenario-based troubleshooting questions. A typical scenario describes a newly installed network card that is not functioning. The output of lspci shows the device is detected, but ping fails. The candidate is then asked what command to run to check if the appropriate kernel module is loaded. The correct answer is lsmod. Variations might include showing lsmod output with certain modules missing and asking the candidate to identify the problem or the next step.

Third, there are configuration questions where the candidate must manage modules. For instance: 'An administrator needs to ensure the 'bluetooth' kernel module is loaded at boot. Which command should be used to verify it is currently loaded?' The answer is lsmod. Or: 'After using modprobe to load the 'usb-storage' module, the administrator wants to confirm it loaded successfully. What command should be used?' Again, lsmod.

Fourth, there are dependency and resource questions. The exam might display lsmod output and ask: 'Based on the output, how many modules are using the 'ext4' module?' or 'Which module is dependent on the 'kvm-intel' module?' These questions test the ability to read and interpret the Used by column.

Fifth, there are security-related questions. A scenario might describe a potential rootkit infection, and the candidate is asked to identify a command that could list unexpected kernel modules. lsmod is the answer. Alternatively, the question might show lsmod output with a suspicious module name and ask what the next step should be.

Finally, some questions integrate lsmod with other commands. For example: 'The output of lsmod shows that the 'nouveau' module is loaded. The administrator wants to remove it. What command should be used?' The answer is rmmod, and the question tests the understanding that lsmod is used to find the module name before unloading it.

Study CompTIA Linux+

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are a junior Linux administrator at a small company. A coworker has just installed a new wireless network card on a server so it can connect to a separate management network. After physically installing the card, the server does not show the new wireless interface when you run ip link. You need to figure out what is wrong.

First, you check whether the operating system even sees the hardware. You run lspci and spot a wireless controller listed. So the hardware is detected, but no driver is active. Next, you need to check which kernel modules are currently loaded. You type lsmod and scroll through the list. You see modules like e1000 for the wired network card, but you do not see anything that looks like a wireless driver module, such as iwlwifi or ath9k.

Now you know the problem: the wireless module is not loaded. You use modinfo to search for the correct module for your wireless card, and you find it is called 'iwlwifi'. You load it with modprobe iwlwifi. Then, to confirm it worked, you run lsmod again. This time, you see 'iwlwifi' in the list with a memory size of, say, 5000 bytes and zero uses (since no applications are using it yet). After loading the module, you run ip link again, and now the wireless interface appears.

This scenario is exactly what you may encounter in an exam or on the job. The key takeaway is that lsmod is the verification tool. Without it, you would be guessing whether the module loaded correctly. It provides immediate, reliable feedback, allowing you to proceed with confidence.

Common Mistakes

Thinking lsmod loads or unloads modules.

lsmod is read-only; it only lists loaded modules. Loading is done with modprobe or insmod, unloading with rmmod.

Remember that lsmod is like a checklist, it only shows what is present, it does not change anything.

Confusing lsmod output with lspci or lsusb output.

lspci lists PCI hardware devices, while lsmod lists kernel modules. A device may be detected but not have its driver loaded, so lsmod would not show it.

Use lspci to see hardware and lsmod to see active drivers. Both are needed for full diagnostics.

Assuming all modules listed by lsmod are always active or necessary.

Some modules are loaded automatically at boot even if not used. They consume memory and can be removed if not needed.

Use lsmod to identify unused modules (those with zero in Used by) and consider unloading them for optimization.

Thinking lsmod shows module parameters or version information.

lsmod only shows name, size, and usage count. For detailed info like parameters, version, or description, use modinfo.

Use modinfo <module_name> for details after you have the module name from lsmod.

Relying on lsmod for real-time changes without re-running the command.

lsmod output is a snapshot at the moment the command is run. If a module is loaded after you run lsmod, you need to run it again to see the change.

Always run lsmod again after any module loading or unloading operation to confirm the current state.

Assuming lsmod works on non-Linux systems like Windows or macOS.

lsmod is a Linux-specific command tied to the Linux kernel's module system. Other operating systems have different tools for driver management.

On Windows, use driverquery or Device Manager. On macOS, use kextstat. Know which command belongs to which OS.

Exam Trap — Don't Get Fooled

{"trap":"The exam question might ask: 'Which command is used to load a kernel module into the Linux kernel?' and include lsmod as one of the options.","why_learners_choose_it":"Because lsmod sounds like it could be short for 'load module', and learners sometimes do not memorize the exact functions of each command."

,"how_to_avoid_it":"Memorize that lsmod = list modules (read-only), modprobe = load module with dependencies, insmod = install module (manual), rmmod = remove module. The 'l' in lsmod stands for 'list', not 'load'."

Step-by-Step Breakdown

1

Open a terminal

lsmod is a command-line tool, so you need access to a terminal or SSH session on a Linux system. This step matters because without a command environment, you cannot execute the command.

2

Run lsmod with no options

Simply type 'lsmod' and press Enter. No flags or parameters are required. The command reads the /proc/modules virtual file instantly and displays the output. This is the simplest form of the command.

3

Interpret the Module column

The first column lists the name of each loaded kernel module, e.g., 'ext4', 'e1000', 'usb_storage'. Each name corresponds to a .ko file in /lib/modules. Knowing the module name is essential for further actions like unloading or getting info.

4

Interpret the Size column

The second column shows the memory size in bytes used by each module. This helps assess memory consumption. For example, a module size of 4096 means it uses 4KB of kernel memory. Large modules may impact system performance on low-memory systems.

5

Interpret the Used by column

The third column shows a number and optionally a list of other modules or processes that are currently using this module. A '0' indicates the module is loaded but not currently in use by anything else. A non-zero number plus a list shows dependencies, which is critical when you want to safely unload a module.

Practical Mini-Lesson

lsmod is more than just a command, it is a window into the Linux kernel's dynamic extension system. In practice, system administrators use lsmod constantly when working with hardware, storage, and network troubleshooting. The command itself is simple, but understanding its context within the module management ecosystem is where true skill lies.

First, professionals know that lsmod reads from /proc/modules, which is a virtual file generated by the kernel. This means lsmod does not need any special privileges to run, though some modules loaded by root may still be listed. However, interpreting the output requires knowing common module names. For instance, 'e1000' is for Intel PRO/1000 network adapters, 'ahci' is for SATA controllers, 'xfs' is for the XFS filesystem. Being familiar with these helps in quickly identifying whether the correct drivers are active.

Second, lsmod is often used in scripts. For automation, an admin might write a script that runs lsmod, greps for a specific module, and based on the result, takes action. For example, a monitoring script could check if the 'iommu' module is loaded and alert if not. The command output can be parsed because it is consistently formatted.

Third, when things go wrong, lsmod helps isolate problems. If a module fails to load, it will not appear in lsmod output. You can then check dmesg for kernel error messages. If a module is loaded but hardware still does not work, the module might need parameters, which you can set via modprobe configuration files in /etc/modprobe.d/.

Finally, professionals understand persistence. Modules loaded via modprobe or insmod are only active until the next reboot unless they are added to a configuration file like /etc/modules or a modprobe config. lsmod does not show which modules are configured to load at boot, it only shows what is loaded right now. So a common workflow is: load a module with modprobe, verify with lsmod, test the hardware, and if successful, add the module name to a persistent config file.

Memory Tip

Remember: lsmod = List System MOdules. The 'l' is for 'list', not 'load'.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

XK0-005XK0-006(current version)

Related Glossary Terms

Frequently Asked Questions

Does lsmod require root privileges?

No, lsmod does not require root privileges because it only reads the public /proc/modules file. Any user can run it to see the list of loaded modules.

What is the difference between lsmod and modprobe -l?

lsmod shows currently loaded modules, while modprobe -l lists all available modules that can be loaded, even if they are not currently active. They serve different purposes.

How can I see module dependencies using lsmod?

The 'Used by' column in lsmod output shows which modules depend on each module. A list of dependent module names appears after the number, showing the dependency chain.

Can lsmod show me the path to the module file?

No, lsmod does not show file paths. To find the location of a module's .ko file, use the 'modinfo -n <module_name>' command.

Why would a module be listed with a size of 0?

A size of 0 is rare but can indicate a built-in module that is part of the kernel image itself, not a loadable module. lsmod may still list it for informational purposes.

Is there a Windows equivalent of lsmod?

Yes, the Windows equivalent is 'driverquery' which lists all device drivers and their status. Another tool is 'sc query' for services, but kernel modules are closest to Windows kernel-mode drivers.

Summary

lsmod is a fundamental Linux command that lists the kernel modules currently loaded into the operating system. It reads the /proc/modules virtual file and presents a simple table showing module names, memory sizes, and usage dependencies. This command is essential for system administrators because it provides immediate insight into which hardware drivers, filesystem support, and other kernel extensions are active at any moment.

Understanding lsmod is critical for certification exams such as CompTIA Linux+, RHCSA, and LPIC-1, where module management is a core objective. Exam questions test your ability to use lsmod for verification after loading or unloading modules, to interpret dependency information, and to troubleshoot hardware issues. A common trap is confusing lsmod with modprobe, so remember that lsmod is only for listing, not loading.

In real-world IT, lsmod helps diagnose failed hardware, optimize memory usage by unloading unnecessary modules, and detect potential security threats like unauthorized kernel modules. Mastering lsmod, along with modprobe, rmmod, and modinfo, gives you the skills to manage the Linux kernel's dynamic behavior confidently. Whether you are studying for an exam or administering a production server, lsmod is a tool you will use again and again.